Hi!
On a Splunk forwarder (universal) some of the files monitored contain binary data that we do not want to send to the indexers.
It seems impossible to prevent the logging applications on the server from logging these binary parts, so the data is on a Splunk forwarder monitored log on the server.
The problem is that the binary data is within an event, meaning that the file itself is not binary.
Is there any way to use the `props.conf` directive `NO_BINARY_CHECK` on these files, or does that only apply to binary files, and not textfiles containing binary sections?
What would be the best way to remove the binary parts from the event before forwarding it to the indexers?
When the data enters the indexers it can be removed with SEDCMD, but to save bandwidth, and possibly indexing license, it would be nice if the binary part could be removed before it enters the indexers.
Any ideas?
↧